144 matches found
GHSA-M54H-VHF9-3W3M BBOT: Arbitrary File Write in postman_download Module
The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...
EUVD-2026-37818
BBOT: Arbitrary File Write in postmandownload Module...
CVE-2026-12568
The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...
CVE-2026-12568
The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...
CVE-2026-12568 Arbitrary File Write in postman_download module
The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...
CVE-2026-12568
The CVE-2026-12568 entry affects the postman_download module. The root cause is unsanitized use of the workspace name field from the Postman API to build the local output directory path; if the workspace name contains path traversal characters, pathlib resolves outside the intended directory, ena...
PT-2026-50563
Name of the Vulnerable Software and Affected Versions Postman Download Module affected versions not specified Description The postman download module fails to sanitize the workspace name field retrieved from the Postman API when constructing local directory paths. A malicious workspace name...
org.webjars.npm:file-entry-cache (>=5.0.1 <=6.0.1), org.webjars.npm:flat-cache (>=2.0.1 <=3.0.4) +6 more potentially affected by CVE-2026-33228 via org.webjars.npm:flatted (>=2.0.1 <=3.3.4)
org.webjars.npm:flatted MAVEN version =2.0.1, =5.0.1, =2.0.1, =3.3.1, =0.3.16, =0.2.107, =1.1.13, =0.1.30, =1.7.6, =2.0.2 Source cves: CVE-2026-33228 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15700434...
org.webjars.npm:file-entry-cache (>=5.0.1 <=6.0.1), org.webjars.npm:flat-cache (>=2.0.1 <=3.0.4) +6 more potentially affected by CVE-2026-32141 via org.webjars.npm:flatted (>=2.0.1 <=3.3.4)
org.webjars.npm:flatted MAVEN version =2.0.1, =5.0.1, =2.0.1, =3.3.1, =0.3.16, =0.2.107, =1.1.13, =0.1.30, =1.7.6, =2.0.2 Source cves: CVE-2026-32141 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15518042...
CVE-2026-28408
WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionartipodocsatendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like...
CVE-2017-18603
The postman-smtp plugin through 2017-10-04 for WordPress has XSS via the wp-admin/tools.php?page=postmanemaillog page parameter...
CVE-2025-15095
CVE-2025-15095 affects postmanlabs httpbin up to 0.6.1. The flaw is in httpbin-master/httpbin/core.py, enabling cross-site scripting via manipulated input. Exploitation is remote and publicly disclosed. Multiple sources confirm the vulnerability, but remediation notes vary and, in at least one en...
httpbin 代码注入漏洞
httpbin is an open source HTTP request and response service from Postman Inc. A code injection vulnerability exists in httpbin version 0.6.1 and earlier, which stems from a flaw in the file httpbin-master/httpbin/core.py and could lead to a cross-site scripting attack...
Malicious code in @postman/secret-scanner-wasm (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b5d1604689ef91985fbc1fe9f8958eb7a50835e71b7cfa4125de687ca37c2d19 The package @postman/secret-scanner-wasm was found to contain malicious code. Source: google-open-source-security...
EUVD-2025-198920
Malicious code in @postman/pm-bin-macos-x64 npm...
MAL-2025-190903 Malicious code in @postman/pm-bin-linux-x64 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94045a09bfa0905195be4f028d9e42bcf608154a645b14b2028754dc6e787b80 The package @postman/pm-bin-linux-x64 was found to contain malicious code. Source: google-open-source-security...
MAL-2025-190902 Malicious code in @postman/mcp-ui-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63316f530f87ac69078cc5b93dfdbc1a58d62f1f37a663f8bf40cb5489f4defc The package @postman/mcp-ui-client was found to contain malicious code. Source: google-open-source-security...
Malicious code in @postman/postman-collection-fork (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 64948ce72be9099e788f3fd4ab6f5a1a67d0012429ae4e198bc7baa85a5197dd The package @postman/postman-collection-fork was found to contain malicious code. Source: google-open-source-security...
Malicious code in @postman/pm-bin-windows-x64 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 02ae17f856e11e19fc956689bbc3e88c8de0052e0ea1017d2048d92f20bfa91b The package @postman/pm-bin-windows-x64 was found to contain malicious code. Source: google-open-source-security...
MAL-2025-190911 Malicious code in @postman/secret-scanner-wasm (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b5d1604689ef91985fbc1fe9f8958eb7a50835e71b7cfa4125de687ca37c2d19 The package @postman/secret-scanner-wasm was found to contain malicious code. Source: google-open-source-security...